<p>Resource-based policies granting access to all users can lead to information leakage.</p>
<h2>Ask Yourself Whether</h2>
<ul>
  <li> The AWS resource stores or processes sensitive data. </li>
  <li> The AWS resource is designed to be private. </li>
</ul>
<p>There is a risk if you answered yes to any of those questions.</p>
<h2>Recommended Secure Coding Practices</h2>
<p>It’s recommended to implement the least privilege principle, i.e. to grant necessary permissions only to users for their required tasks. In the
context of resource-based policies, list the principals that need the access and grant to them only the required privileges.</p>
<h2>Sensitive Code Example</h2>
<p>This policy allows all users, including anonymous ones, to access an S3 bucket:</p>
<pre>
import { aws_iam as iam } from 'aws-cdk-lib'
import { aws_s3 as s3 } from 'aws-cdk-lib'

const bucket = new s3.Bucket(this, "ExampleBucket")

bucket.addToResourcePolicy(new iam.PolicyStatement({
    effect: iam.Effect.ALLOW,
    actions: ["s3:*"],
    resources: [bucket.arnForObjects("*")],
    principals: [new iam.AnyPrincipal()] // Sensitive
}))
</pre>
<h2>Compliant Solution</h2>
<p>This policy allows only the authorized users:</p>
<pre>
import { aws_iam as iam } from 'aws-cdk-lib'
import { aws_s3 as s3 } from 'aws-cdk-lib'

const bucket = new s3.Bucket(this, "ExampleBucket")

bucket.addToResourcePolicy(new iam.PolicyStatement({
    effect: iam.Effect.ALLOW,
    actions: ["s3:*"],
    resources: [bucket.arnForObjects("*")],
    principals: [new iam.AccountRootPrincipal()]
}))
</pre>
<h2>See</h2>
<ul>
  <li> <a href="https://docs.aws.amazon.com/IAM/latest/UserGuide/best-practices.html#grant-least-privilege">AWS Documentation</a> - Grant least
  privilege </li>
  <li> CWE - <a href="https://cwe.mitre.org/data/definitions/732">CWE-732 - Incorrect Permission Assignment for Critical Resource</a> </li>
  <li> CWE - <a href="https://cwe.mitre.org/data/definitions/284">CWE-284 - Improper Access Control</a> </li>
  <li> STIG Viewer - <a href="https://stigviewer.com/stigs/application_security_and_development/2024-12-06/finding/V-222620">Application Security and
  Development: V-222620</a> - Application web servers must be on a separate network segment from the application and database servers. </li>
</ul>
